PsExec Passes Credentials in Clear Text

PsExec can be a very useful tool during incident response and live forensics work. For those who don't know, PsExec is a tool for executing commands on a remote Windows computer. It was originally developed by Sysinternals, which is now owned by Microsoft (additional details can be found on PsExec's web page).

However, PsExec has one significant shortfall: to use it, one must supply administrator-level credentials for the remote PC, and when those are given with the -u and -p switches, older versions of PsExec send the password to the remote machine in clear text, exposing it to anyone capturing traffic on the network path. (Sysinternals added encryption of PsExec's traffic in version 2.1; the behaviour described here affects earlier releases.) Thankfully, there is a workaround that prevents the exposure: connect to the IPC$ share on the target workstation first with the admin credentials, which are then authenticated through the normal SMB challenge/response exchange rather than sent in the clear, and run PsExec afterwards without -u and -p so that it reuses the existing session.
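The workaround above as a runnable PowerShell script. This is an added example, not code from the original post or from Sysinternals; the `$Target`, `$User` and `$PsExecPath` values are assumptions for illustration, and the remote command (`tasklist /v`) is just a stand-in for whatever triage command you would actually run.

```powershell
# Added example (not from the original post): authenticate to the target's
# IPC$ share first, then run PsExec without -u/-p so it reuses that session
# instead of sending the password itself.
# $Target, $User and $PsExecPath are assumptions for illustration.
param(
    [Parameter(Mandatory)] [string] $Target,       # e.g. HOST01 or 10.0.0.5
    [Parameter(Mandatory)] [string] $User,         # e.g. CORP\ir-admin
    [string] $PsExecPath = 'C:\Tools\PsExec.exe'   # assumed location of PsExec
)

$Share = "\\$Target\IPC`$"

# Step 1: map IPC$. The trailing '*' makes net use prompt for the password at
# the console, so it never appears on the command line, in shell history, or
# in a process listing. The credential is then proven to the target through
# the SMB NTLM/Kerberos exchange rather than sent as a clear-text password.
& net.exe use $Share "/user:$User" *
if ($LASTEXITCODE -ne 0) {
    throw "net use to $Share failed with exit code $LASTEXITCODE"
}

try {
    # Step 2: run PsExec WITHOUT -u/-p. With no explicit credentials PsExec
    # rides on the IPC$ session just established. -accepteula suppresses the
    # first-run licence dialog on an unattended box.
    & $PsExecPath -accepteula "\\$Target" tasklist /v
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "psexec returned exit code $LASTEXITCODE"
    }
}
finally {
    # Step 3: tear the session down so the authenticated connection does not
    # linger on the responder's workstation once the triage is done.
    & net.exe use $Share /delete | Out-Null
}
```

Two details worth keeping: do not put the password on the `net use` command line (`/user:CORP\ir-admin P@ssw0rd`), because it then survives in PowerShell history and is visible to anyone listing processes on your own machine; the `*` prompt avoids that. And the `finally` block matters because a mapped IPC$ session outlives the script, so a forgotten session would let any later process on the responder's workstation reach the target with admin rights.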